
CISA ED 22-03: Mitigate VMware Vulnerabilities

Federal Civilian Executive Branch (FCEB) agencies are at risk from recently disclosed vulnerabilities (CVEs) in several VMware products. Earlier vulnerabilities in the same products were exploited in the wild within days of disclosure, and successful exploitation gives an attacker unauthenticated access, remote code execution and root privileges on the affected system, putting sensitive information at risk.

Background

On May 18, 2022, VMware published security advisory VMSA-2022-0014, covering an authentication bypass (CVE-2022-22972) and a local privilege escalation to root (CVE-2022-22973) in several of its products. In April 2022 VMware had already patched two related vulnerabilities in the same products, CVE-2022-22954 (remote code execution) and CVE-2022-22960 (privilege escalation); threat actors reverse-engineered those updates and were exploiting unpatched systems within 48 hours. CISA therefore expects the newly disclosed vulnerabilities to be exploited just as quickly, and on the same day issued Emergency Directive 22-03 requiring FCEB agencies to act immediately.

Affected Products:

- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- VMware vRealize Suite Lifecycle Manager

Impact:

Exploiting these vulnerabilities can give an attacker:

- Remote code execution: full control of the affected appliance.
- Privilege escalation: "root" access on the underlying operating system, i.e. complete control of the host.
- Authentication bypass: access to the product without valid credentials.


Urgency:

CISA (the Cybersecurity and Infrastructure Security Agency) has determined that these vulnerabilities pose an unacceptable risk to federal networks and has issued an emergency directive requiring immediate action by all FCEB agencies.

Required Actions:

By Monday, May 23, 2022, 5:00 PM EDT:

Enumerate all instances of the affected VMware products on agency networks.

For each instance identified:

- Apply the security update: deploy the fix listed in VMware advisory VMSA-2022-0014 (https://www.vmware.com/security/advisories/VMSA-2022-0014.html).
- If the update cannot be applied, remove the instance from the network until it can be.
- If the product is no longer supported (end-of-service or end-of-life), remove it from the network immediately.

For every affected instance that is reachable from the internet, additionally:
- Assume compromise: disconnect it from the production network and hunt for signs of malicious activity.
- Report any anomalies found to CISA at [email address removed].
- Reconnect it only after the threat hunt is complete and the update has been applied.

Additional Notes:

CISA previously added CVE-2022-22954 and CVE-2022-22960, the vulnerabilities VMware patched in April 2022, to its Known Exploited Vulnerabilities (KEV) catalog.
CISA will continue to monitor for exploitation and update its recommendations as needed.

By taking these actions promptly, FCEB agencies can mitigate the risk of compromise from these critical vulnerabilities.

Article Details:

Release Date: 18-May-2022

Source: U.S. CISA - https://www.cisa.gov/news-events/directives/ed-22-03-mitigate-vmware-vulnerabilities